Journalists and activists often use Slack to communicate. Nation states and criminals are interested

The work-toolset company Slack has filed an S-1 securities registration form that was published yesterday. According to Slack, the company is under threat from “sophisticated organized crime, nation-state and nation-state supported actors”.

The document reports that the nature of the threats from “criminal organizations” and “nation-state actors and affiliates” akin and summing up with the “traditional” computer threats such as “hackers, malware, viruses, worms and ransomware, employee theft or misuse, password spraying, phishing […]and DDoS attacks”. According to the document the company is unable to “entirely mitigate” these threats.

The filing states:

“Third parties may attempt to fraudulently induce employees, users, or organizations into disclosing sensitive information such as user names, passwords, or other information or otherwise compromise the security of our internal electronic systems, networks, and/or physical facilities in order to gain access to our data or the data of organizations on Slack, which could result in significant legal and financial exposure, a loss of confidence in the security of Slack, interruptions or malfunctions in our operations, and, ultimately, harm to our future business prospects and revenue.”

Rather than pointing out at a single attack, the company reports that they are actively being threatened by bad actors. The report mentions March 2015’s breach, when an unknown person or group had been able to access information such as user names, email addresses, passwords, information, and phone numbers stored. As a response the company introduced a two-factor authentication to access the platform.

Last month, CSO Online reported that a group of hackers had been using an undocumented backdoor program designed to interact with attackers over Slack. The breach was detected by security firm Trend Micro during targeted attack launched from the “compromised” website of the “Korean American National Coordinating Council”. It was the first time Slack had been used that way.

All of this happens just before the company will be made public. The general trend for most of the tech companies preparing to go public is to have some section in their S-1 mentioning the risk of unauthorized access to their platforms and ultimately users’ data. Public companies such as Twitter and Facebook are also continuously exposed to hacks and leaks.

Although there was no mention to “organized crime” or “nation-state actors”, Snapchat, Lyft, PagerDuty and Uber’s S-1 files all contain reports of past hacks. Just as Slack, they are claiming that the attacks are impossible to prevent.

Slack has for the moment refused to give more details. They are among the several companies that, thanks to technology and connectivity, are now huge databases exposed to all sorts of attentions.